CN111277406A - Block chain-based safe two-direction quantity advantage comparison method - Google Patents

Abstract

The invention belongs to the field of cryptography and information security, and particularly relates to a block chain-based security two-direction quantity advantage comparison method. The method adopts the block chain and cloud outsourcing computation as a basic framework, utilizes the block chain as a driving tool, and replaces a trusted third party to manage and supervise the whole computation process, thereby ensuring that the vector can normally run. By utilizing cloud outsourcing computation, heavy computing tasks are transferred from users to outsourcing servers with enough computing power, the burden of the users is reduced, and extra computing resources are fully utilized. The cloud outsourcing computation and the block link are combined, a reliable reward punishment mechanism is provided, the computing overhead of a user is reduced, meanwhile, the attack cost of a malicious server is greatly increased, and therefore the semi-honest model protocol which is severely limited in actual operation originally is guaranteed.

Description

Block chain-based safe two-direction quantity advantage comparison method

Technical Field

The invention belongs to the field of cryptography and information security, and particularly relates to a block chain-based security two-direction quantity advantage comparison method.

Background

With the rapid development of information technology, the internet becomes more and more important in people's daily life. In recent years, internet applications and services have emerged as bamboo shoots in the spring after rain. Although these internet applications bring great convenience to people's lives, many applications also collect a large amount of user data in the process, and thus this also raises concerns about the disclosure of private information. As a technology for effectively protecting privacy, multi-party security computing is one of the major concerns of researchers, and it focuses on how to utilize private information of participants to complete related computing tasks in a distributed scenario. The advantage comparison of two directional quantities is a sub-topic of multi-party safety calculation, is an extension of single digital comparison, and simultaneously adds new limiting conditions. Assuming that Alice and Bob respectively hold private vector a and vector B, which require Alice and Bob to be able to compare to see if there is a situation where all elements in one vector are larger than the corresponding elements in the other vector, and in this process, neither the element information in the vector nor the size relationship of the corresponding elements can be exposed to the other. The advantage comparison of the two directional quantities is used as a sub-topic of multi-party security calculation, a large number of technologies based on the knowledge of cryptography are used, and the method belongs to the fields of cryptography and information security.

In 2001, Atallah et al first proposed a definition of the comparison of the superiority of two directional quantities and presented a method of using permutation and obfuscation inputs to accomplish the comparison. By obfuscating the input and permutation, Atallah expands the two n-dimensional vectors A and B into a 4 n-dimensional vector A 'and a vector B', and then compares the elements one by one with A 'and B'. In 2006, Ibrahim proposed a new algorithm, which first calculates whether there is a vector advantage by using elements of corresponding positions, and after determining that there is a vector advantage, the second calculates the sum of elements of respective vectors, and then compares the sum to determine which vector is the advantage. In 2008 Jin et al proposed a bitwise ratio-based approach to solve the vector dominance problem. Firstly, Alice sends an encryption key and encrypted vector bits to Bob, and Bob calculates the difference value of corresponding bits of corresponding elements in an encrypted environment after receiving Alice data and accumulates the difference value. And Bob sends the accumulated result to Alice after confusion, and the Alice judges whether the vectors have advantage comparison or not according to the difference after decryption.

Although the above methods can solve the problem of comparing the two directional quantities, they are only applicable to a semi-honest model, that is, participants must honestly execute each step and cannot resist malicious behaviors. Meanwhile, the method proposed by Atallah uses a trusted third party, and the feasibility is lacked in practical use. The Ibrahim method is lack of the condition of equal vector nodes, and may cause the privacy of the user to be revealed on the premise of not performing preprocessing. Meanwhile, the user needs to do a large amount of calculation and communication operations by the method, and more expenses are brought to the user.

Disclosure of Invention

In order to overcome the defects in the prior art, the invention provides a block chain-based safe two-direction quantity advantage comparison method, which transfers heavy computing tasks from users to outsourcing servers with enough computing power by using cloud outsourcing computing, reduces the burden of the users and fully utilizes additional computing resources.

In order to solve the technical problems, the invention adopts the technical scheme that: a block chain-based safe two-direction quantity advantage comparison method comprises the following steps:

s1, assuming that Alice holds vector A ═ a₁... a_n]Bob holds a vector B ═ B₁... b_n]Each element may be represented as a K-bit integer;

s2, key agreement: alice and Bob communicate to negotiate parameters p, q required for ELGamal encryption, each in group Z_qIn the random element S_A、S_BAnd calculate

To obtain

At G_qSelecting f as element, using h, f and group G_qThe generator g constructs an encryption key (g, h, f); wherein p and q are two large prime numbers, and satisfy the condition that p is 2q +1, G_qIs a group

The q-order multiplier subgroup of (1), whose generator is g;

s3, secret sharing is carried out on own data by Alice according to bits, and a matrix A is equal to [ a ]₁... a_n]Each element a of_iIs divided into K shares, wherein i is more than or equal to 1 and less than or equal to n,each share comprising the element a_iA bit of (a) can be expressed as [ a ]_i]_p＝[[a_i1]_p[a_i2]_p... [a_ik]_p]Wherein [ a ]_ik]_pE {0, 1 }; at the same time, Alice calculates a_iOf longest prefix of a'_iLength J of_iAnd Alice shares the data J_iAnd encryption keys (g, h, f) are uploaded to the blockchain;

s4.Bob calculates the prefix set of each element according to the vector B of the Bob, and for each element B_iWhere 1 ≦ i ≦ n, Bob calculates b using a zero-coding algorithm_iAll prefixes are obtained to contain K_iSet of individual elements

Bob will each

Bit-wise secret sharing

Wherein

m_jTo represent

Then upload the data to the blockchain;

s5, the block chain receives the data uploaded by Alice and Bob, the data and the calculation tasks are distributed to the calculation nodes for calculation, and the encrypted data y is obtained through calculation_i，KWherein i is more than or equal to 1 and less than or equal to n;

s6. in step S5, the ith round can obtain y_i，KAnd after the last n rounds of calculation are finished, the block chain and the calculation node can obtain Y through communication and calculation_1，K·y_2，K...·y_n，K(x, Y), returning the result Y to Alice and Bob;

s7, according to the requirement of ELGamal cryptosystem, utilizing the step S2 by Alice and BobS of_A、S_BAnd x in Y obtained in step S6, respectively

And

and exchange, then decrypt Y, if the result of decryption

Then a > B, i.e. vector a has vector dominance to vector B, otherwise vector a has no vector dominance to vector B.

Further, the step S5 specifically includes: firstly, a block chain randomly selects 2K computing nodes, and each node acquires a_iAnd

then the 2K nodes repeat the following operations n times, where i is 1, 2.. n;

s51, responsible for [ a ]_i]_pNode of (2) from group Z_qTwo random numbers are selected

And

let node hold

This bit, i corresponds to the position of the element in A, j corresponds to the number of rounds, l denotes the position in element a_iThe position of (1);

when J is 1, it is responsible for the former J_iThe nodes of the bits are calculated as follows, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generating vectors

If it is

Generating vectors

Node-generated vector of other bits

When J > 1, it is responsible for the first J_iThe node of the bit is based on the received y_i，j-1The following calculation is carried out, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generating vectors

If it is

Generating vectors

Node-generated vector of other bits

S52, responsible for [ a ]_i]_pThe node(s) sends the calculated vector(s) to the blockchain, which forwards the vector(s) to the corresponding blockchain

A node of (2);

s53, is responsible for

After receiving the vector, the node ofSelecting a certain element in the vector according to own data; let node hold

i and j correspond to

In the middle position, l, 1 is not less than l but not more than m_jIs shown in the element

The position of (1); when j is more than or equal to 1 and less than or equal to K_iWhen, if

Then select z [ i, j, l]＝z[i，j，0]If, if

Then select z [ i, j, l]＝z[i，j，1](ii) a The node communication is calculated to obtain y_i，j＝z[i，j，m_j]·z[i，j，m_j-1]...·z[i，j，1]E (0); when (K)_iJ is more than or equal to +1) and less than or equal to K, in Z_nIn the random selection of element r_jCalculating

Node then will y_i，jReturning to the block chain;

and S54, when j is 2, 3.. K, returning to the step S51 and performing the next round of calculation, and after the K-th round is finished, obtaining the encrypted data y by the node through calculation_i，KWherein i is more than or equal to 1 and less than or equal to n.

In the present invention, the ELGamal encryption framework includes:

and (3) key generation: p and q are two large prime numbers, and satisfy the condition that p is 2q + 1; g_qIs a group

The q-order multiplier subgroup of (1), whose generator is g; alice in group Z_qIn the method, an element S is randomly selected_ABob in group Z_qIn the method, an element S is randomly selected_B(ii) a Alice and Bob respectivelyComputing

And

and exchange to obtain

At G_qSelecting an element f to obtain an encrypted public key (g, h, f);

encryption operation: given plaintext m ∈ Z_qThe encryption can obtain E (m) (x, y) (g)^α，h^αf^m) Wherein α is at Z_qRandom elements selected from (1);

and (3) decryption operation: given the ciphertext, c ═ x, y, Alice and Bob respectively compute and share

And

can be decrypted to obtain

In the method, the block chain and cloud outsourcing computation are used as a basic framework, the block chain is used as a driving tool to replace a trusted third party to manage and supervise the whole computation process, and the vector can be ensured to normally run. By utilizing cloud outsourcing computation, heavy computing tasks are transferred from users to outsourcing servers with enough computing power, the burden of the users is reduced, and extra computing resources are fully utilized. Each computing server must register in the blockchain and mortgage certain electronic assets in the blockchain as a guarantee deposit. If the server does not calculate according to the protocol in the calculation process, the block chain can punish the electronic assets of the server, deduct the electronic assets of the server and compensate the honestly operated nodes and users. While the electronic assets of the honestly running nodes can be freely retrieved after the computing task and can receive the honest rewards from the blockchain and the service fee of the user. Therefore, cloud outsourcing computation and block linking are combined, a reliable reward punishment mechanism is provided, computing overhead of a user is reduced, meanwhile, attack cost of a malicious server is greatly increased, and accordingly, the semi-honest model protocol which is severely limited in actual operation originally is guaranteed. Servers may prefer to operate honestly rather than breaking agreements in order to obtain rewards, causing their assets to be compromised.

And (3) analyzing efficiency: the overhead of the scheme is divided into two parts, namely calculation overhead and communication overhead. For users Alice and Bob, the main overhead comes from key agreement and uploading data, and their communication overhead is o (nk). For the cloud servers, data of users need to be received and encrypted for comparison, the communication overhead position O (nK) of a single server is calculated, the overhead position O (nK) is calculated, and the total overhead of all the cloud servers is O (nK)²) N represents the number of user vector elements, and K represents the length of a single element.

And (3) safety analysis: the scheme uses zero coding and privacy protection prefix detection. Assuming vector A has a vector dominance over vector B, then element B in vector B_iZero-code-set of

Must contain the corresponding element a_iThe prefix of (2). In step S5 of the present scheme, for each element a_iAnd

each element in (1)

All carry out privacy protection prefix test if

Element a_iFor the resulting y_i，j＝E(R_i，j) In which is R_i，j0. If there is a vector dominance of A over B, the final aggregated results

And d (y) 1. Whereas if the vector dominance of A over B does not hold, then there is i ', j' such that R_i′，j′Not equal to 0, and thus the final result

While

Due to R_i′，j′Randomly generated by the server, so that there is only a very small probability R_i′，j′0, so the scheme is complete.

Compared with the prior art, the beneficial effects are: according to the block chain-based safe two-direction quantity advantage comparison method, the block chain and cloud outsourcing calculation are used as a basic framework, the block chain is used as a driving tool, a trusted third party is replaced to manage and supervise the whole calculation process, and the vector can be ensured to normally run. By utilizing cloud outsourcing computation, heavy computing tasks are transferred from users to outsourcing servers with enough computing power, the burden of the users is reduced, and extra computing resources are fully utilized. The cloud outsourcing computation and the block link are combined, a reliable reward punishment mechanism is provided, the computing overhead of a user is reduced, meanwhile, the attack cost of a malicious server is greatly increased, and therefore the semi-honest model protocol which is severely limited in actual operation originally is guaranteed.

Detailed Description

A block chain-based safe two-direction quantity advantage comparison method comprises the following steps:

s1, assuming that Alice holds vector A ═ a₁... a_n]Bob holds a vector B ═ B₁... b_n]Each element may be represented as a K-bit integer;

s2, key agreement: common to Alice and BobThe parameters p, q required for the ELGamal encryption are negotiated, each in the group Z_qIn the random element S_A、S_BAnd calculate

To obtain

At G_qSelecting f as element, using h, f and group G_qThe generator g constructs an encryption key (g, h, f); wherein p and q are two large prime numbers, and satisfy the condition that p is 2q +1, G_qIs a group

The q-order multiplier subgroup of (1), whose generator is g;

s3, secret sharing is carried out on own data by Alice according to bits, and a matrix A is equal to [ a ]₁... a_n]Each element a of_iIs divided into K shares, wherein i is more than or equal to 1 and less than or equal to n, and each share contains an element a_iA bit of (a) can be expressed as [ a ]_i]_p＝[[a_i1]_p[a_i2]_p... [a_ik]_p]Wherein [ a ]_ik]_pE {0, 1 }; at the same time, Alice calculates a_iOf longest prefix of a'_iLength J of_iAnd Alice shares the data J_iAnd encryption keys (g, h, f) are uploaded to the blockchain;

s4.Bob calculates the prefix set of each element according to the vector B of the Bob, and for each element B_iWhere 1 ≦ i ≦ n, Bob calculates b using a zero-coding algorithm_iAll prefixes are obtained to contain K_iSet of individual elements

Bob will each

Secret sharing by security position

Wherein

m_jTo represent

Then upload the data to the blockchain;

s5, the block chain receives the data uploaded by Alice and Bob, the data and the calculation tasks are distributed to the calculation nodes for calculation, and the encrypted data y is obtained through calculation_i，kWherein i is more than or equal to 1 and less than or equal to n;

s6. in step S5, the ith round can obtain y_i，KAnd after the last n rounds of calculation are finished, the block chain and the calculation node can obtain Y through communication and calculation_1，K·y_2，K...·y_n，_K(x, Y), returning the result Y to Alice and Bob;

s7, according to the requirement of an ELGamal cryptosystem, utilizing the S in the step S2 by Alice and Bob_A、S_BAnd x in Y obtained in step S6, respectively

And

and exchange, then decrypt Y, if the result of decryption

Then a > B, i.e. vector a has vector dominance to vector B, otherwise vector a has no vector dominance to vector B.

Wherein, the step S5 specifically includes: firstly, a block chain randomly selects 2K computing nodes, and each node acquires a_iAnd

then the 2K nodes repeat the following operations n times, where i is 1, 2.. n;

s51, responsible for [ a ]_i]_pNode of (2) from group Z_qTwo random numbers are selected

And

let node hold

This bit, i corresponds to the position of the element in A, j corresponds to the number of rounds, l denotes the position in element a_iThe position of (1);

when J is 1, it is responsible for the former J_iThe nodes of the bits are calculated as follows, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generating vectors

If it is

Generating vectors

Node-generated vector of other bits

When J > 1, it is responsible for the first J_iThe node of the bit is based on the received y_i，j-1The following calculation is carried out, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generating vectors

If it is

Generating vectors

Node-generated vector of other bits

S52, responsible for [ a ]_i]_pThe node(s) sends the calculated vector(s) to the blockchain, which forwards the vector(s) to the corresponding blockchain

A node of (2);

s53, is responsible for

After receiving the vector, the node selects a certain element in the vector according to own data; let node hold

i and j correspond to

In the middle position, l, 1 is not less than l but not more than m_jIs shown in the element

The position of (1); when j is more than or equal to 1 and less than or equal to K_iWhen, if

Then select z [ i, j, l]＝z[i，j，0]If, if

Then select z [ i, j, l]＝z[i，j，1](ii) a The node communication is calculated to obtain y_i，j＝z[i，j，m_j]·z[i，j，m_j-1]...· z[i，j，1]E (0); when (K)_i+1)≤j≤K is at Z_nIn the random selection of element r_jCalculating

Node then will y_i，jReturning to the block chain;

and S54, when j is 2, 3.. K, returning to the step S51 and performing the next round of calculation, and after the K-th round is finished, obtaining the encrypted data y by the node through calculation_i，KWherein i is more than or equal to 1 and less than or equal to n.

The following are some algorithms relevant to the present invention:

the ELGamal encryption framework comprises:

and (3) key generation: p and q are two large prime numbers, and satisfy the condition that p is 2q + 1; g_qIs a group

The q-order multiplier subgroup of (1), whose generator is g; alice in group Z_qIn the method, an element S is randomly selected_ABob in group Z_qIn the method, an element S is randomly selected_B(ii) a Alice and Bob calculate separately

And

and exchange to obtain

At G_qSelecting an element f to obtain an encrypted public key (g, h, f);

encryption operation: given plaintext m ∈ Z_qThe encryption can obtain E (m) (x, y) (g)^α，h^αf^m) Wherein α is at Z_qRandom elements selected from (1);

and (3) decryption operation: given the ciphertext, c ═ x, y, Alice and Bob respectively compute and share

And

can be decrypted to obtain

2. Zero coding: suppose that there is a binary string of length k, s ═ s(s)₁s₂...s_k) Wherein s is_i(i∈[1，k]) Representing a bit, its zero encoding can be expressed as:

zero coding plays an important role in digital comparison, and has the following properties: given two binary strings a and b of length k, zero-coding of b if and only if a > b

The set contains the prefix of a.

3. Privacy protection prefix detection:

the magnitude relationship of the two numbers can be detected according to the nature of the zero-coding. Suppose Alice has a binary string a ═ a_ka_k-1...a₁) Bob has a binary string of b ═ b_kb_k-1...b₁) And Alice and Bob can judge whether the zero code of b is the prefix of a through privacy protection prefix detection, so as to judge the size relationship between a and b. The complete process is as follows:

1) bob calculates the zero code of b according to the character string b to obtain the code containing k_jSet of individual elements

Setting a binary representation of one of the elements to be measured as

Length of it

2) Alice calculates the longest prefix a 'of a using a zero-coding algorithm, and the length is | a' | ═ J_aAnd in Z_qIn randomly selecting two elements r₀、r₁Constructing a 2 xK matrix

Wherein each element of Z is as follows:

when k is more than or equal to i and more than or equal to J_aAnd a is_iWhen the content is equal to 0, the content,

when k is more than or equal to i and more than or equal to J_aAnd a is_iWhen the number is equal to 1, the alloy is put into a container,

when J is_aWhen i is more than or equal to 1 and more than or equal to-1,

alice sends the matrix Z to Bob;

3) bob is based on the matrix Z,

Computing

Then Bob and combine y_jSending the data to Alice;

4) alice and Bob will be y_jDecryption is performed if D (y)_j) 1, then

Is a prefix of a, and can be deduced as a > b.

4. Secret sharing: secret sharing is generally divided into two parts, sharing and reconstructing. The sharing is to decompose the secret into several shares, and the reconstruction is to recombine the several shares into the secret. The (n, t) secret sharing means that the secret is divided into n shares, any t +1 shares can be used for reconstructing the secret, and the secret cannot be reconstructed if the shares are less than or equal to t. In the invention, a secret sharing mechanism of bit sharing is used, namely, an integer of k bits is shared into k shares, and each share has one bit.

It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (3)

1. A block chain-based safe two-direction quantity advantage comparison method is characterized by comprising the following steps:

s1, assuming that Alice holds vector A ═ a₁...a_n]Bob holds a vector B ═ B₁...b_n]Each element may be represented as a K-bit integer;

s2, key agreement: alice and Bob communicate to negotiate parameters p, q required for ELGamal encryption, each in group Z_qIn the random element S_A、S_BAnd calculate

To obtain

At G_qSelecting f as element, using h, f and group G_qThe generator g constructs an encryption key (g, h, f); wherein p and q are two large prime numbers, and satisfy the condition that p is 2q +1, G_qIs a group

The q-order multiplier subgroup of (1), whose generator is g;

s3, secret sharing is carried out on own data by Alice according to bits, and a matrix A is equal to [ a ]₁...a_n]Each element a of_iIs divided into K shares, wherein i is more than or equal to 1 and less than or equal to n, and each share contains an element a_iA bit of (a) can be expressed as [ a ]_i]_p＝[[a_i1]_p[a_i2]_p...[a_ik]_p]Wherein [ a ]_ik]_pE {0, 1 }; at the same time, Alice calculates a_iOf longest prefix of a'_iLength J of_iAnd Alice shares the data J_iAnd encryption keys (g, h, f) are uploaded to the blockchain;

s4.Bob calculates the prefix set of each element according to the vector B of the Bob, and for each element B_iWhere 1 ≦ i ≦ n, Bob calculates b using a zero-coding algorithm_iAll prefixes are obtained to contain K_iSet of individual elements

Bob will each

Bit-wise secret sharing

Wherein

m_jTo represent

Then upload the data to the blockchain;

s5, the block chain receives the data uploaded by Alice and Bob, the data and the calculation tasks are distributed to the calculation nodes for calculation, and the encrypted data y is obtained through calculation_i，KWherein i is more than or equal to 1 and less than or equal to n;

s6. in step S5, the ith round can obtain y_i，KAnd after the last n rounds of calculation are finished, the block chain and the calculation node can obtain Y through communication and calculation_1，K·y_2，K...·y_n，K(x, Y), returning the result Y to Alice and Bob;

s7, according to the requirement of an ELGamal cryptosystem, utilizing S in the step S2 by Alice and Bob_A、S_BAnd x in Y obtained in step S6, respectively

And

and exchange, then decrypt Y, if the result of decryption

Then a > B, i.e. vector a has vector dominance to vector B, otherwise vector a has no vector dominance to vector B.

2. The block chain-based secure two-direction quantity advantage comparison method according to claim 1, wherein the step S5 specifically includes: firstly, a block chain randomly selects 2K computing nodes, and each node acquires a_iAnd

then the 2K nodes repeat the following operations n times, where i is 1, 2.. n;

s51, responsible for [ a ]_i]_pNode of (2) from group Z_qTwo random numbers are selected

And

let node hold

This bit, i corresponds to the position of the element in A, j corresponds to the number of rounds, l denotes the position in element a_iThe position of (1);

when J is 1, it is responsible for the former J_iThe nodes of the bits are calculated as follows, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generate vector [ [ z [ i, l, 0 ]]＝E(0)，

If it is

Generating vectors

Node-generated vector of other bits

When J > 1, it is responsible for the first J_iThe node of the bit is based on the received y_i，j-1The following calculation is carried out, wherein l is more than or equal to 1 and less than or equal to K:

if it is

Generating vectors

If it is

Generating vectors

Node-generated vector of other bits

S52, responsible for [ a ]_i]_pThe node(s) sends the calculated vector(s) to the blockchain, which forwards the vector(s) to the corresponding blockchain

A node of (2);

s53, is responsible for

After receiving the vector, the node selects a certain element in the vector according to own data; let node hold

i and j correspond to

In the middle position, l, 1 is not less than l but not more than m_jIs shown in the element

The position of (1); when j is more than or equal to 1 and less than or equal to K_iWhen, if

Then select z [ i, j, l]＝z[i，j，0]If, if

Then select z [ i, j, l]＝z[i，j，1](ii) a The node communication is calculated to obtain y_i，j＝z[i，j，m_j]·z[i，j，m_j-1]...·z[i，j，1]E (0); when (K)_iJ is more than or equal to +1) and less than or equal to K, in Z_nIn the random selection of element r_jCalculating

Node then will y_i，jReturning to the block chain;

and S54, when j is 2, 3.. K, returning to the step S51 and performing the next round of calculation, and after the K-th round is finished, obtaining the encrypted data y by the node through calculation_i，KWherein i is more than or equal to 1 and less than or equal to n.

3. The block chain-based secure two-direction quantity advantage comparison method according to claim 2, wherein the ELGamal encryption framework comprises:

and (3) key generation: p and q are two large prime numbers, and satisfy the condition that p is 2q + 1; g_qIs a group

The q-order multiplier subgroup of (1), whose generator is g; alice in group Z_qIn the method, an element S is randomly selected_ABob in group Z_qIn the method, an element S is randomly selected_B(ii) a Alice and Bob calculate separately

And

and exchange to obtain

At G_qSelecting an element f to obtain an encrypted public key (g, h, f);

encryption operation: given plaintext m ∈ Z_qThe encryption can obtain E (m) (x, y) (g)^α，h^αf^m) Wherein α is at Z_qRandom elements selected from (1);

and (3) decryption operation: given the ciphertext, c ═ x, y, Alice and Bob respectively compute and share

And

can be decrypted to obtain